Home Blogs Contents Disclaimer Contact Us About Us Advertisement Privacy Policy
Androcrunch Logo

Blog Post

Home > Blog > VLC Critical RCE Flaw, Do you really need to uninstall VLC?

VLC Critical RCE Flaw, Do you really need to uninstall VLC?

By Admin July 25th 2019 176

Few days ago on 19th July, 2019 a German publication Heise Online reported about a critical unpatched vulnerability that when exploited could cause DOS attack, ex-filtrate data or manipulate files.

The flaw was residing in VLC’s modules/demux/mkv/demux.cpp protocol

as a heap-based buffer overflow. The flaw could be easily exploited by just simply opening specially crafted a .mp4 file.

However, from the tweet from VideoLAN , we see that the flaw was on a third party library called “libebml” which was already fixed more that 16 months ago.

The original tweet is as:

“About the "security issue" on #VLC : VLC is not vulnerable. tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.”

Follow the tweet on twitter.

Now the issue arises when neither the MITRECorp nor the researcher/s took time to analyze the vulnerability, but instead had a CVE 2019-13615 with score of

After it was found that the vulnerability was wrongly reported the CVE-2019-13615 score was updated to 5.5 medium.

Current details about CVE-2019-13615 can be found on NVD website .

According to the policy of MITRECorp,

“You should make a good faith effort to notify the affected vendor and work with them to ensure that a patch is available prior to publicly disclosing the vulnerability. Information is more accurate and complete when researchers and vendors work together. This practice also reduces the likelihood of a duplicate CVE ID being issued, which can happen when both a researcher and vendor request CVE IDs. Without independent confirmation or vendor acknowledgment, it may not be possible to determine if the vulnerability is real, which could result in a request for a CVE ID being denied. ”

But it can be seen that the policy was not followed, and a CVE Id was given without reporting to VideoLAN nor checking if the RCE was real.

Situation, like this gives misinformation to the end user regarding a product which causes the users to carry wrong information, degrading the dignity of the product.

The following tweet from VideoLAN explains it,

“This is not the first time that @MITREcorp does that. In fact, they NEVER EVER contact us when they find security issues on VLC, and we always discover that after they are public, when a user or a distribution asks us.”

Various blog posts made vulnerability look more critical that it was really and reported already patched vulnerability. Causing a outbreak of misinformation. Some authors took pain to update the posts after knowing that the vulnerability was already, while most of them still haven’t changed.

MIUI 11 Confirmed Release Date in INDIA?


MIUI 11 Confirmed Release Date in INDIA?

Do you know the new version of MIUI is coming very soon & currently is on testing? If not then here'..

June 24th 2019

Latest Blog Posts